Here’s a riddle for you: lie back, relax, close your eyes, and think about the last time you did a SWOT analysis. Let’s forget about the opportunities and threats for now and try to recall the strengths and weaknesses. So, here’s the question: what exact same entry did you list under both of those headings?
If it wasn’t ‘employees’, then it’s time to go back to the drawing board.
Your business wouldn’t be there without your workforce, which is why bosses commonly list their employees as a key strength but, as a recent survey commissioned by Sungard Availability Services confirmed, they are also a major weakness when it comes to information security.
In the survey of 276 IT professionals, the collective opinion was that their organisations aren’t doing enough to protect critical data and systems. Respondents cited the greatest concerns as poor employee security behaviour, such as bad password habits, and a general lack of security awareness.
Two specific actions were singled out by the IT professionals: 62% said carelessness with devices – i.e. leaving laptops and mobile phones in vulnerable places – was their organisation’s most common security threat; this was followed by employee password sharing (51%).
Sungard’s is not the only survey to reach the conclusion that employees are the weak link in the cybersecurity chain: the not-for-profit Online Alliance Trust’s survey found that only 40% of attacks involving loss of personally identifiable information originated externally.
In this day and age, with all the hype in the news about Hollywood hacks and big business breaches, it’s difficult to accept that the message about being conscientious with passwords, and being careful with devices whilst on the move, hasn’t sunk in. But it hasn’t.
In the face of such ignorance, business bosses just have to take a deep breath and crack on with plugging the corporate cybersecurity message: ensure employees don’t use the same password on more than one account; make sure they know what constitutes a strong password (a minimum of 15 characters, including mixed cases, numbers, symbols and special characters); and show them how to spot attempts at phishing and social engineering.
Whilst it’s comforting to think that steps can be taken to overcome ignorance and increase awareness, it’s worth noting that, in the Ponemon Institute’s latest annual survey into data hacking costs, 35% of businesses experienced attacks which originated from malicious insiders.
They also found that the costs associated with this kind of attack are the highest and that such attacks take twice as long to contain: something for the HR staff relations team to ponder. And while they’re doing that, you can institute an audit trail of access, grant only the access each employee genuinely needs, centralise password management, and immediately cease access for any employee who leaves.
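The four controls listed above are easy to state and easy to let slip, so here is an added example (not from the original article or any particular product) of what a periodic access review can check mechanically. All of the data is constructed: a hypothetical HR roster with leaving dates, a role-to-group baseline that stands in for the "essential access" each role needs, a directory export of accounts and group memberships, and a handful of audit-trail entries. The three checks flag accounts still enabled after their owner has left, group memberships beyond the role baseline, and access-log entries dated after a departure.

```python
"""Access-review checks: leavers still enabled, excess entitlements, and
audit-trail entries after a departure. Added example with constructed data."""
from datetime import date

# Constructed HR roster (assumption): role plus leaving date, None if still employed.
HR_ROSTER = {
    "alice": {"role": "finance", "left_on": None},
    "bob":   {"role": "engineering", "left_on": date(2024, 3, 1)},
    "carol": {"role": "engineering", "left_on": None},
    "dave":  {"role": "finance", "left_on": date(2024, 2, 15)},
}

# Assumed baseline of the groups each role actually needs (least privilege).
ROLE_BASELINE = {
    "finance": {"erp-users", "payroll-readers"},
    "engineering": {"git-users", "ci-runners"},
}

# Constructed directory export: enabled flag and group memberships per account.
DIRECTORY_ACCOUNTS = {
    "alice": {"enabled": True, "groups": {"erp-users", "payroll-readers"}},
    "bob":   {"enabled": True, "groups": {"git-users", "ci-runners", "prod-admins"}},
    "carol": {"enabled": True, "groups": {"git-users", "ci-runners", "payroll-readers"}},
    "dave":  {"enabled": False, "groups": {"erp-users"}},
}

# Constructed audit-trail entries: (date, user, resource).
ACCESS_LOG = [
    (date(2024, 3, 4), "bob", "prod-db"),
    (date(2024, 3, 4), "alice", "erp"),
    (date(2024, 2, 10), "dave", "erp"),
]


def leavers_still_enabled(roster, accounts, today):
    """Accounts that are still enabled although the owner's leaving date has passed."""
    return sorted(
        user
        for user, record in roster.items()
        if record["left_on"] is not None
        and record["left_on"] <= today
        and accounts.get(user, {}).get("enabled", False)
    )


def excess_entitlements(roster, accounts, baseline):
    """Group memberships that go beyond what the owner's role requires."""
    findings = {}
    for user, record in roster.items():
        if user not in accounts:
            continue
        extra = accounts[user]["groups"] - baseline[record["role"]]
        if extra:
            findings[user] = sorted(extra)
    return findings


def access_after_departure(roster, log):
    """Audit-trail entries recorded after the acting user's leaving date."""
    return [
        (when, user, resource)
        for when, user, resource in log
        if roster[user]["left_on"] is not None and when > roster[user]["left_on"]
    ]


if __name__ == "__main__":
    review_date = date(2024, 3, 5)
    print("Leavers still enabled:", leavers_still_enabled(HR_ROSTER, DIRECTORY_ACCOUNTS, review_date))
    print("Excess entitlements:", excess_entitlements(HR_ROSTER, DIRECTORY_ACCOUNTS, ROLE_BASELINE))
    print("Access after departure:", access_after_departure(HR_ROSTER, ACCESS_LOG))
```

Run against the constructed data, the review reports that bob's account is still enabled four days after he left and was used to reach prod-db in that window, and that both bob and carol hold a group their role does not need. In a real environment the roster would come from the HR system of record and the account and log data from the directory and SIEM exports, but the reconciliation logic is the same.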
You may think that a malicious insider hits top spot on the scale of wickedness, but what about employees who know about security but don’t give a fig? They’re the ones who think they were hired to do their job, not IT’s job. They’re the ones who know that passwords should be long and complex, but they can’t be bothered.
In addition to educating employees about the staggering costs associated with data breaches, and how it will affect their livelihood, you can set the password bar very high: don’t follow the usual business practice of asking people to create strong passwords and at the same time allow them to get away with the typical 8-character minimum.
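To make the gap between the two policies concrete, here is an added example (not from the original article) that encodes the strong-password rule given above, a 15-character minimum with mixed case, numbers and symbols, alongside the typical 8-character minimum the article says businesses let people get away with, and runs a few constructed sample passwords through both. The policy names, the dataclass and the sample passwords are all assumptions made for the illustration.

```python
"""Checks passwords against the article's 15-character rule and a legacy 8-character
minimum. Added example; policy names and sample passwords are constructed."""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    require_mixed_case: bool = False
    require_digit: bool = False
    require_symbol: bool = False


# The typical 8-character minimum with no composition rules (assumed name "legacy-8").
LEGACY_POLICY = PasswordPolicy("legacy-8", min_length=8)

# The article's rule: at least 15 characters with mixed case, numbers and symbols.
STRONG_POLICY = PasswordPolicy("article-15", min_length=15,
                               require_mixed_case=True, require_digit=True,
                               require_symbol=True)

SYMBOLS = set(string.punctuation)


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the rules of `policy` that `password` violates (empty list = compliant)."""
    failures = []
    if len(password) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if policy.require_mixed_case and not (has_lower and has_upper):
        failures.append("needs both upper- and lower-case letters")
    if policy.require_digit and not any(c.isdigit() for c in password):
        failures.append("needs at least one digit")
    if policy.require_symbol and not any(c in SYMBOLS for c in password):
        failures.append("needs at least one symbol")
    return failures


def is_compliant(password: str, policy: PasswordPolicy) -> bool:
    return not check_password(password, policy)


def compare_policies(passwords, policies=(LEGACY_POLICY, STRONG_POLICY)) -> dict:
    """Map each password to the names of the policies it satisfies."""
    return {pw: [p.name for p in policies if is_compliant(pw, p)] for pw in passwords}


# Constructed sample passwords for the demonstration (do not reuse them anywhere).
SAMPLE_PASSWORDS = [
    "pass",                        # fails both policies
    "Summer2024!",                 # 11 chars: passes legacy-8, fails article-15 on length
    "correcthorsebatterystaple",   # long but lower-case only: passes legacy-8 only
    "Blue-Kettle-Sings-47",        # 20 chars, mixed case, digits, symbol: passes both
]


if __name__ == "__main__":
    for pw, passed in compare_policies(SAMPLE_PASSWORDS).items():
        print(f"{pw!r}: passes {passed or 'neither policy'}")
        for failure in check_password(pw, STRONG_POLICY):
            print(f"    article-15: {failure}")
```

Under the legacy policy three of the four samples are accepted; under the article's policy only the last one is. The check returns the list of violated rules rather than a bare yes/no so the same function can drive the feedback shown to the employee at password-change time, which is where the awareness message has the best chance of sticking.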
If you weren’t aware of the scale to which employees are a company’s weak link, don’t compound the mistake by thinking that implementing a cybersecurity policy can offer a fix-it-once-and-forever solution to the problem. It’s as impossible as the idea of perpetual motion: you cannot avoid loss of energy in any system.
Remember that new, ignorant employees will come into the fold, that short cuts and laziness are natural consequences of being human, and that there’s a disgruntled maker-of-mayhem lurking at a desk near you…
Employee education and enlightenment is a lifelong business challenge but, in terms of ROI, worth every penny of commitment.
If you are worried about your organization being the victim of a hacking incident, check out our free guide on How to Protect Your Company from being Hacked.